sponsored links

In a GNU/Linux system every file or folder has some access permissions. There are three types of permissions (what allowed to do with a file of any kind, directory included):

(r)read access
(w)write access
(e)execute access

There are also other “special” permissions, but for this article the basic permissions will be enough to illustrate how umask works, and the permissions are defined for three types of users:

(U) the owner of the file
(G) the group that the owner belongs to
(O) All the other users

umask (user mask) is a command and a function in POSIX environments that sets the file mode creation mask of the current process which limits the permission modes for files and directories created by the process. A process may change the file mode creation mask with umask and the new value is inherited by child processes.

In practice with umask you can define the permissions of the new files that your process will create.

The user mask contains the octal values of the permissions you want to set for all the new files and to calculate the value of the umask subtract the value of the permissions you want to get from 666 (for a file) or 777 (for a directory).

The remainder is the value to use with the umask command.
For example, suppose you want to change the default mode for files to 664 (rw-rw-r–). The difference between 666 and 664 is 002, which is the value you would use as an argument to the umask command.

Or just use this handy table

umask Octal Value

File Permissions

Directory Permissions

0

rw-

rwx

1

rw-

rw-

2

r--

r-x

3

r--

r--

4

-w-

-wx

5

-w-

-w-

6

--x

--x

7

--- (none)

--- (none)

In this article I’ll show you in practice how to use umask to change the permissions of the new files:, so open a terminal and follow me in this small list of commands and examples

1) Check your permissions

Let’s create a file in /tmp

cd/tmp
touch firstfile
ls-l firstfile

You’ll have an output like this one:

-rw-r--r--1 root root 0 Dec 323:34 firstfile

That’s a default, as you can see, looking from the left, the user that has created the file (root for me) can read and write the file, the group (root) can only read it and all the others can read the file, that’s the standard umask with a value of 0022, to check the umask that you are using in a terminal you can issue the command umask without any argument.

root@myserv:/tmp# umask
0022

2) Change the default umask

So now we know that the umask is 0022 that produces files with the -rw-r–r– permissions, but in many cases you want to give to your colleagues the write permission to directory and files that you create, so to calculate the new umask we translate the permissions -rw-rw-r– in their octal representation, that is: 664 and subtract this number from 666, the result is the umask you want to set in your shell:

umask 0002
cd/tmp
touch secondfile
ls-l secondfile

And this time you’ll get this output:

-rw-rw-r--1 root root 0 Dec 423:16 secondfile

3) Setup umask for process and daemons

Sometimes you have processes and daemons that create files, and you want to manage the permissions of these files, a typical example that comes to my mind is an apache httpd server that creates files with uploads or with some scripts and once they are created you want to modify these files with your username that shares the same group of apache, how to do it ?

In general you have to put the command umask in the script that is used to start the daemon or in files included in the start, so for apache this could be /etc/init.d/apache2 (debian) or much better in the environment file that is included, /etc/apache2/envvars (debian)

4) Setup Default umask for the whole system

So now you know how to change the umask in a working terminal, or session, but how to change it permanently ?
To change the umask for just an user the easiest way is to set the command umask NEWUMASK in the ~/.bashrc file of that user (assuming that he’s using bash) or in the equivalent file that is loaded at the start of his session by his shell.

To change the umask for all your users you have to change some system setting and these depends on your Linux Distribution:

Debian 6, Ubuntu and Mint

In Debian this can be handled with the help of a PAM modules, pam_umask is a PAM module to set the file mode creation mask of the current environment. The umask affects the default permissions assigned to newly created files, to enable/change these permissions edit the files:

/etc/pam.d/common-session
/etc/pam.d/common-session-noninteractive

And in each of these files add the line:

session optional pam_umask.so umask=0002

In this way all sessions will use the 0002 umask giving to the group the permission to write to files and directories.

Red Hat 6 and Centos 6

In these distributions the generic umask is wrote in the file /etc/bashrc, if you open it (as root) and you search for the word “umask” you’ll find something similar to these lines:

# By default, we want umask to get set. This sets it for non-login shell.# Current threshold for system reserved uid/gids is 200# You could check uidgid reservation validity in# /usr/share/doc/setup-*/uidgid fileif[$UID-gt199]&&["`id -gn`" = "`id -un`"]; thenumask 002
elseumask 022
fi

These lines set an umask of 002 for all the username whose uid is greater than 199 and the group name is the same of the user name.
So to change the umask for everyone you could simply change all these lines in this line: